Online tracing scanning worm with sliding window

Abstract

Breaking out of network worms brings a tremendous damage to the Internet. Launch the worm defense and response can improve anti-attack capability of networks. Tracing worm propagation process after its outbreak can reconstruct not only the earliest infected nodes but also the timing order of victims been infected. Based on the improvement of existing offline worm tracing algorithm, we can realize the near real-time tracing for the propagation process of scanning worm: Network traffic data are real-time collected by the detection points from different LANs, then separated into continuous-time detection sliding windows; in every time window, we repeatedly and randomly collect paths that contain worm scanning and infected flow rate, reconstruct path of worm propagation in the current detection window. Results accumulated in sequential detection sliding windows continues doing feedback amendment, real-time reflect the process of worm propagation. we establish a virtual experimental environment of worm propagation and tracing to evaluate the algorithm. Tracing network worm propagation from the initial attack can inhibit continuous spread of the worm, ensure that no more host is infected by the worm, and provide basis for the determination of worm attack origin. © 2008 Springer-Verlag Berlin Heidelberg.